If this is your first visit, be sure to
check out the FAQ by clicking the
link above. You may have to register
before you can post: click the register link above to proceed. To start viewing messages,
select the forum that you want to visit from the selection below.

Well, Befor I start, I have completely no knowlege of ISA at all, but I think I'm ok when it comes to OPSEC related products.

Now, the change should be obvious after documenting your security policy <No not your rulebase, your needs>. What sort of content passes thru your Proxy to your FW? most <if not all> can be monitored by simple INSPECt scripts <Phoneboy's HTTP script for example> that could be coded in no time while in bed, just define a function <#deffunc foobar> that accepts packets and then SNATs them to 0.0.0.0 <this is a special configuration in CP that tells FW-1 to use the outgoing interface's IP address, similar to the concept of MASQ> So, you wouldn't actually need the proxy anymore.

On the other hand, asuming you really need the proxy and can't make without it. Then I suggest you'd go with inivctus' advice. Limit traffic to the FW from the Proxy alone and try to be as strict as possible. Just a small addition, you might want to use the proxy as your small network's FW and leave the heavyload on the FW for the DMZ and other sverers <that's what I do regularly>.

About M$ providing me with a securtiy solution, i think I would not accept it for a simple reason. CP means the OPSEC alliance. In other words, when I bought CPNG I didn't onyl get a FW, I also got support for CVP, PKI, IDS, HA, etc.. from big names that I can relay on, also a good point that CP offers is INSPECT code, wich isn't provided by any opponant. The power of knowing your FW's language means that you guarantee the best of all worlds <simple example is Anti-Spoofing, I used to do it by CP's AS in the GUI, but after doing it by INSPECT code using the nets {} and netsof commands I got really better performance than I ever did.> yet, unfortunantly other competitors have completly ignored providing a language to their FWs making them either inconvineit, corrupted or both :-)

Well, my own Advice,

If your just doing a small network that just needs raw power and not a huge e-commerce site, then go for StoneSoft's StoneGate it has proven to be ten-times better than CP's performance <in my crude tests > but still, I'm a CP-wiz and I will die as a CP-wiz

Ugh, forgot to say this, about your port-scan, this behaviour is a result of CP including fwui_trail.def wich has 'drop' and not 'vanish' drop mangles a packet befor it actually ignores it. This results in the 'closed' if you go thru your INSPECT code and s/drop/vanish, everything should be stealth :-).

Errr...um....INSPECT code? I have no idea how get to that! Thanks for the explanation of why the ports are closed though. I will be using my ISA server as a 'glorified proxy', but I'm definately going to be keeping my FW-1! I just need to learn how to work the damn thing a bit better!
Thanks guys!

INSPECT is CP's core logic. Your rulebase is converted to INSPECT befor it is applied to your fwmodule. Look for *.pf files and in $FWDIR/lib/ those are written in INSPECT.

I'd recommened learning INSPECT ASAP as it is the best way to get raw power outta your box <altough I tend to use the GUI sometimes for creating users and groups, but most of the rest is done using emacs >. You'd really feel a great diffrence....

Note : to add 'vanish' to the GUI, just open $FWDIR/lib/setup.C and add